AuditFront

ISO 27001 A.5.22: Monitoring, review and change management of supplier services

What This Control Requires

The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

In Plain Language

Assessing a supplier's security at sign-up and then never looking again is one of the most common mistakes organisations make. Suppliers change - their infrastructure evolves, they acquire new sub-processors, key staff leave, and their risk profile shifts over time.

This control is about continuous oversight. You need to regularly verify that suppliers still meet the security requirements you agreed on, monitor their service delivery, review their audit reports, and keep an eye on any changes they make that could affect your security posture.

Change management is especially important here. When a supplier changes their infrastructure, moves data to a new location, or switches sub-processors, you need to know about it and evaluate the impact before it becomes your problem.

How to Implement

Set up a supplier monitoring programme scaled to risk. Define what you monitor, how often, and who is responsible. High-risk suppliers get quarterly reviews; lower-risk ones might only need annual checks.

Regular monitoring should include:

  • reviewing SOC 2 Type II reports or ISO 27001 surveillance audit results annually
  • tracking SLA performance
  • evaluating supplier security incidents
  • checking their vulnerability management and patching practices
  • assessing the impact of any changes they make
  • periodically sending updated security questionnaires

Establish a supplier change management process. Require suppliers to notify you of significant changes - infrastructure moves, new sub-processors, changes to data processing locations, security control modifications, key personnel departures. Evaluate each change for security impact and approve or push back before implementation.

Hold regular review meetings with critical suppliers - quarterly works well. Include security on the agenda alongside performance. Review security metrics, incidents, audit findings, and upcoming changes. Document outcomes and track action items to completion.

Maintain a centralised view of supplier risk. Use a third-party risk management platform or a well-maintained register to track assessments, compliance status, incident history, and review schedules. Report the overall supplier risk picture to management regularly. Have a defined escalation path for suppliers who fall short, up to and including termination if necessary.

Evidence Your Auditor Will Request

  • Supplier monitoring schedule and records of monitoring activities
  • Recent supplier audit report reviews with documented assessments
  • Supplier service review meeting minutes including security topics
  • Records of supplier change notifications and impact assessments
  • Supplier risk dashboard or register showing current compliance status

Common Mistakes

  • Supplier security is assessed at onboarding but never reviewed again during the relationship
  • SOC 2 reports from suppliers are received but not reviewed or assessed
  • No process for suppliers to notify the organization of security-relevant changes
  • Supplier service reviews focus on performance metrics but ignore security topics
  • Issues identified in supplier reviews are not tracked to resolution

Related Controls Across Frameworks

Framework   Control ID       Relationship
SOC 2       CC9.2            Related
GDPR        Art. 28(3)(h)    Related
NIS2        Art. 21(2)(e)    Related

Frequently Asked Questions

How do we review a supplier's SOC 2 report effectively?

Do not just file it away - actually read it. Focus on:

  • Does the scope cover the services you use?
  • Is the opinion unqualified?
  • Are there exceptions or deviations noted?
  • Does the Type II testing period cover enough time?
  • What complementary user entity controls (CUECs) are you expected to implement on your side?
  • How did management respond to any exceptions?

Flag concerns and follow up with the supplier for clarification or remediation timelines.

What should trigger an unscheduled supplier review?

Several things: a security incident at the supplier or in their supply chain, significant changes to their services or infrastructure, ownership changes or signs of financial instability, regulatory enforcement action against them, concerning intelligence from threat feeds, or a change in how much or what type of data you are sharing with them. Basically, anything that could shift their risk profile warrants a closer look outside the normal schedule.
